[squid-users] cache-peer and tls
Eugene M. Zheganin
emz at norma.perm.ru
Sat Aug 3 14:11:21 UTC 2019
Hello,
I'm using squid 4.6 and I need to TLS-encrypt the session to the parent
proxy. I have in config:
cache_peer proxy.foo.bar parent 3129 3130 tls
tls-cafile=/usr/local/etc/squid/certs/le.pem
sslcert=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/cert.pem
sslkey=/usr/local/etc/letsencrypt/live/vpn.enazadev.ru/privkey.pem
sslflags=DONT_VERIFY_DOMAIN,DONT_VERIFY_PEER
But no matter what I do, squid keeps telling me in the logs that it
doesn't like the peer certificate:
2019/08/03 18:42:24 kid1| ERROR: negotiating TLS on FD 23:
error:14090086:SSL routines:ssl3_get_server_certificate:certificate
verify failed (1/-1/0)
2019/08/03 18:42:24 kid1| temporary disabling (Service Unavailable)
digest from proxy.foo.bar
and then it goes direct, bypassing the peer. :/
Is there any way to tell it that I don't care?
I've also tried to actually tell it about the CA cert with
tls-cafile=/usr/local/etc/squid/certs/le.pem above, but this doesn't work
either.
Thanks.
Eugene.
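As an added example (not code from the post and not anything shipped with Squid), the script below builds a throwaway root -> intermediate -> leaf certificate chain with openssl and then checks which contents of a CA file let a verifier accept the leaf. The names "Demo Root CA" and "proxy.foo.bar", and the temporary directory, are assumptions made for the demo. It illustrates the general rule behind a "certificate verify failed" result: the trust file must contain a self-signed anchor, and the intermediate has to come either from the peer's handshake or from that same file. It does not say why this particular setup fails; for that, compare the chain the parent actually sends (openssl s_client -showcerts -connect proxy.foo.bar:3130) with what is in le.pem.

```shell
#!/bin/sh
# Added example, not from the post or from Squid: build a throwaway
# root -> intermediate -> leaf chain with openssl and check which CA file
# contents let a verifier accept the leaf. The names (Demo Root CA,
# proxy.foo.bar) and the temp directory are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. Self-signed root CA. The config file makes the CA extensions explicit
#    so the result does not depend on the system openssl.cnf defaults.
cat > root.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
prompt = no
[dn]
CN = Demo Root CA
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -days 3650 -config root.cnf >/dev/null 2>&1

# 2. Intermediate CA signed by the root (the issuer a public CA such as
#    Let's Encrypt places between its root and the leaf).
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 1825 -extfile inter.ext >/dev/null 2>&1

# 3. Leaf certificate for the parent proxy, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=proxy.foo.bar" >/dev/null 2>&1
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:proxy.foo.bar\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out leaf.pem -days 90 -extfile leaf.ext >/dev/null 2>&1

# A CA file that carries the intermediate as well as the root.
cat inter.pem root.pem > bundle.pem

# verify_leaf CAFILE [UNTRUSTED]
#   CAFILE    : what a tls-cafile= style option would point at (trust anchors)
#   UNTRUSTED : optional file with the extra certificates the peer would send
#               in its handshake alongside the leaf
# Prints "ok" when openssl accepts leaf.pem, "fail" otherwise.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# verify_error CAFILE: openssl's own reason for rejecting the leaf, the text
# to compare against a "certificate verify failed" line in a proxy log.
verify_error() {
  openssl verify -CAfile "$1" leaf.pem 2>&1 \
    | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
}

printf '%-56s %s\n' "root only in CA file, peer sends just the leaf:"       "$(verify_leaf root.pem)"
printf '%-56s %s\n' "root only in CA file, peer also sends intermediate:"   "$(verify_leaf root.pem inter.pem)"
printf '%-56s %s\n' "root + intermediate in CA file, peer sends just leaf:" "$(verify_leaf bundle.pem)"
printf '%-56s %s\n' "intermediate only in CA file (no self-signed root):"   "$(verify_leaf inter.pem)"
printf 'openssl reason for the first failure: %s\n' "$(verify_error root.pem)"
```

Run it with sh; it needs only the openssl command-line tool. The first and last rows are the ones that matter for a parent-proxy setup: a trust file holding only the root fails when the peer omits its intermediate, and a file holding only the intermediate fails because openssl does not treat a non-self-signed certificate as an anchor without the partial-chain option.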